Configuring Control Policies with CloudForms Management Engine

Control Policies

Policies are used to manage your virtual environment. Control policies are used to check for a specific condition and perform an action based on the outcome. For example:
* Prevent virtual machines from running without an administrator account.
* Prevent virtual machines from starting if certain patches are not applied.
* Configure the behavior of a production virtual machine to only start if it is running on a production host.
* Force a SmartState Analysis when a host is added or removed from a cluster.

A control policy is a combination of an event, a condition, and an action. This combination provides management capabilities to your virtual environment.
* An event is a trigger to check a condition.
* A condition is a test triggered by an event.
* An action is an execution that occurs if a condition is met.

Creating Control Policies

Create control policies by combining an event, a condition, and an action. Carefully plan the purpose of your policy before creating it. You can also use a scope expression, which is tested immediately when the policy is triggered by an event. If the item is out of scope, the policy does not continue on to the conditions, and none of the associated actions run.

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select Control Policies.
  3. Select either Host Control Policies or VM Control Policies.
  4. Click Configuration, then Add a New Control Host/Vm Policy.
  5. Type in a Description.
  6. Uncheck Active if you do not want this policy processed even when assigned to a resource.
  7. You can enter a Scope here (you can also create a scope as part of a condition, or not use one at all). If the host or virtual machine is not included in the scope, no actions will be run.
  8. In the Notes area, add a detailed explanation of the policy.
  9. Click Add. You are brought to the page where you add conditions and events to your new policy.
  10. Click Configuration to associate conditions, events, and actions with the policy.

Editing Basic Information, Scope, and Notes for a Policy

As your enterprise's needs change, you can change the name of a policy or its scope. If the items being evaluated are out of scope, policy processing stops and no actions run.

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select the policy to edit.
  3. Click Configuration, then Edit Basic Info, Scope, and Notes.
  4. In the Scope area, create a general condition based on a simple attribute. Or, click on an existing expression to edit it. Based on what you choose, different options appear. Recall that a scope is optional for a policy.
    • Click Field to create criteria based on field values.
    • Click Count of to create criteria based on the count of something, such as the number of snapshots for a virtual machine, or the number of virtual machines on a host.
    • Click Tag to create criteria based on tags assigned to your resources. For example, you can check the power state of a virtual machine or see if it is tagged as production.
    • Click Find to seek a particular value, and then check a property. For example, finding the Admin account and checking that it is enabled. Use the following check commands:
      • Check Any: The result is true if one or more of the find results satisfy the check condition.
      • Check All: All of the find results must match for a true result.
      • Check Count: If the result satisfies the expression in check count, the result is true.
    • Click Registry to create criteria based on registry values. For example, you can check if DCOM is enabled on a Windows System. Note that this applies only to Windows operating systems. Registry will only be available if you are editing a VM Control Policy.
  5. Click Commit Expression Element Changes to add the scope.
  6. In the Notes area, make the required changes.
  7. Click Save.

Copying a Policy

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select the policy you want to copy.
  3. Click Configuration, then Copy this Policy to new Policy.
  4. Click OK to confirm.

Note
The new policy is created with a prefix of "Copy of" in its description, and it can be viewed in the Policy accordion.

Creating a New Policy Condition

If you have not already created a condition to use with this policy, you can create one directly from inside the policy. A condition can contain two elements: a scope and an expression. The expression is mandatory, but the scope is optional. A scope is a general attribute that is quickly checked before evaluating a more complex expression. You can create a scope at either the policy or condition level.

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select the policy you want to create a new condition for.
  3. Click Configuration, then Create a new Condition assigned to this Policy.
  4. Type in a Description for the condition. It must be unique among all conditions.
    • Click Field to create criteria based on field values.
    • Click Count of to create criteria based on the count of something, such as the number of snapshots for a virtual machine, or the number of virtual machines on a host.
    • Click Tag to create criteria based on tags assigned to your resources. For example, you can check the power state of a virtual machine or see if it is tagged as production.
    • Click Find to seek a particular value, and then check a property. For example, finding the Admin account and checking that it is enabled. Use the following check commands:
      • Check Any: The result is true if one or more of the find results satisfy the check condition.
      • Check All: All of the find results must match for a true result.
      • Check Count: If the result satisfies the expression in check count, the result is true.
    • Click Registry to create criteria based on registry values. For example, you can check if DCOM is enabled on a Windows System. Note that this applies only to Windows operating systems. Registry will only be available if you are editing a VM Control Policy.
  5. Click Commit Expression Element Changes to add the scope.
  6. Click Edit this Expression in the Expression area. Based on what you choose, options display as per the choices presented in the Scope area detailed above.
  7. Click Commit Expression Element Changes to add the expression.
  8. In Notes, type in a detailed explanation of the condition.
  9. Click Add.

Note
The condition is created and assigned directly to the policy. However, the condition can also be assigned to other policies.

Editing Policy Condition Assignments

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select the policy you want to assign conditions to.
  3. Click Configuration, then Edit this Policy's Condition assignments.
  4. From the Condition Selection area, you can assign conditions to the policy, remove all conditions from the policy, or remove specific conditions from the policy.
    • To add one or some conditions, select all the conditions you want to apply from the Available Conditions box. Use Ctrl to add multiple conditions to a policy. Then, click Move selected Conditions into this Policy.
    • Click Remove all Conditions from this Policy to unassign any conditions from this policy.
    • To remove one or some conditions, select all the conditions you want to remove from the Policy Conditions box. Use Ctrl to select multiple conditions. Then, click Remove selected Conditions from this Policy.
  5. Click Save.

Editing Policy Event Assignments

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion and select the control policy you want to assign events to.
  3. Click Configuration, then Edit this Policy's Event assignments.
  4. Check all the events you want to assign to this policy.
  5. Click Save.

Assigning an Action to an Event

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select the policy you want to assign actions to.
  3. From the Events area, click on the description of the event you want to assign an action to.
  4. Click Configuration, then Edit Actions for this Policy Event.
  5. Select all the appropriate actions from the Available Actions box, inside the Order of Actions if ALL Conditions are True. These are the actions that will take place if the resources meet the Condition of the Policy.

Note
Each selected action can be executed synchronously or asynchronously. A synchronous action does not start until the previous synchronous action has completed; an asynchronous action allows the next action to start whether or not the first action has completed. Also, at least one CloudForms Management Engine server in the CloudForms Management Engine zone must have the notifier server role enabled for the trap to be sent.

  6. Click the add button (Move selected Actions into this Event), then:
    • Click the action, then click Set selected Actions to Asynchronous to make it asynchronous.
    • Click the action, then click Set selected Actions to Synchronous to make it synchronous. If creating a synchronous action, use the up and down arrows to identify in what order you want the actions to run.
  7. Select all the actions from the appropriate Available Actions box, inside of the Order of Actions if ANY Conditions are False. These are the actions that take place if the resources do not meet the condition of the policy.
  8. Click Save.

Once your policy is created, you can add it to a Policy Profile. The Policy Profile can then be assigned to your Provider, Host, and Virtual Machines.
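
The evaluation order described in Control Policies and Creating Control Policies (event, then scope, then conditions, then the ALL-true or ANY-false action list) and the Find check modes can be modeled in a few lines of Ruby. This is an added example, not CloudForms code: Policy, find_check, evaluate, and the event and action names are hypothetical, and treating an empty find result as false for Check Any and Check All is an assumption of the model, not something the page states.

```ruby
# Added illustration; Policy, find_check and evaluate are hypothetical names,
# not CloudForms classes. Event and action symbols are constructed.
Policy = Struct.new(:active, :events, :scope, :conditions, :if_true, :if_false,
                    keyword_init: true)

# Find + Check: select the matching items, then test them in one of three modes.
# Assumption of this model: an empty find result fails Check Any and Check All.
def find_check(items, find:, mode:, check:)
  found = items.select(&find)
  case mode
  when :any   then found.any?(&check)
  when :all   then !found.empty? && found.all?(&check)
  when :count then check.call(found.size)
  else raise ArgumentError, "unknown check mode: #{mode}"
  end
end

# Returns [outcome, actions_to_run] for one event on one target.
def evaluate(policy, event, target)
  return [:inactive, []]      unless policy.active
  return [:not_triggered, []] unless policy.events.include?(event)
  # Scope is tested first; out of scope means no conditions and no actions.
  return [:out_of_scope, []]  if policy.scope && !policy.scope.call(target)
  if policy.conditions.all? { |c| c.call(target) }
    [:all_true, policy.if_true]
  else
    [:any_false, policy.if_false]
  end
end

# Constructed sample inventory.
VMS = {
  prod_ok:   { tags: ["production"], accounts: [{ name: "Admin", enabled: true }] },
  prod_bad:  { tags: ["production"], accounts: [{ name: "Admin", enabled: false }] },
  prod_none: { tags: ["production"], accounts: [{ name: "guest", enabled: true }] },
  test_vm:   { tags: ["test"], accounts: [] }
}.freeze

# Condition: find the Admin account and check that it is enabled (Check Any).
ADMIN_ENABLED = lambda do |vm|
  find_check(vm[:accounts], find: ->(a) { a[:name] == "Admin" },
             mode: :any, check: ->(a) { a[:enabled] })
end

POLICY = Policy.new(
  active: true, events: [:vm_start_request],
  scope: ->(vm) { vm[:tags].include?("production") },
  conditions: [ADMIN_ENABLED], if_true: [], if_false: [:prevent_start]
)

VMS.each { |name, vm| puts "#{name}: #{evaluate(POLICY, :vm_start_request, vm).inspect}" }
```

The test_vm case returns no actions at all: an out-of-scope resource is never blocked, so a scope that is too narrow silently exempts machines from the policy.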
